It's because all of your resources are loaded via HTTP (the "http://" is hard-coded in the HTML source). Current browsers won't allow potentially dangerous calls (particularly JavaScript, but that would also include anything scriptable or capable of calling external URLs, which would include SVG images, CSS, etc.) over HTTP when the site is using HTTPS. If you have developer tools installed in your browser (default in Chrome, optional in Firefox and and add-on for IE), you should be able to see a lot of "not gonna let that happen" warnings in the page load details.
I'm not familiar enough with WordPress to tell you what settings you need to change and where -- it could be a fundamental incompatibility with Cloudflare's SSL method (since the site is accessed from Cloudflare using HTTP even though the user is accessing what Cloudflare serves using HTTPS, and WP may be adding the "http://" to the source based on that). I'd check with the WP community to see if there's a way to have the URIs served with a "//" (protocol-independent, no http: or https: prefix) schema.
